Thanks for your feedback, guys!
So we finally decided to implement the same behavior as Hive's first. The
Epic for Column Masking is here:
https://issues.apache.org/jira/browse/IMPALA-8981
We'll start at custom masking types which don't depend on any builtin
masking functions: https://issues.apach
I got a little info from Guther on this. Apparently masking behavior was
being driven by specific customer(s) at the time and was done for all
column references due to concerns about leaking data. Regardless of the
reasoning, we have to follow the semantics that Hive has at this point. We
could alw
Any sense what the consumers and end users have asked for regarding
behavior?
On Tue, Nov 12, 2019, 1:57 PM Todd Lipcon wrote:
> I'd agree that applying it at the innermost column ref makes the most sense
> from a security perspective. Otherwise it's trivial to "binary search" your
> way to the
I'd agree that applying it at the innermost column ref makes the most sense
from a security perspective. Otherwise it's trivial to "binary search" your
way to the value of a masked column, even if the masking is
completely "xed" out.
I'm surprised to hear that DB2 implements it otherwise, though q
I think compatibility with Hive is pretty important - the default
expectation will be that Ranger policies behave consistently across SQL
engines. I think it would be hard to argue for differing default behaviour
if it's in some sense less secure.
On Tue, Nov 12, 2019 at 12:03 AM Gabor Kaszab
wro
Hey Quanlong,
For me it seems more important not to leak confidential information so I'd
vote for (a). I wonder what others think.
Gabor
On Mon, Nov 11, 2019 at 1:04 PM Quanlong Huang
wrote:
> Hi all,
>
> We are adding the support for Ranger column masking and need to reach a
> consensus on th
Hi all,
We are adding the support for Ranger column masking and need to reach a
consensus on the behavior design.
A column masking policy is something like "only show last 4 chars of phone
column to user X". When user X reads the phone column, the value would be
something like "x6789" instead
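
The two masking semantics debated in this thread, as an added example that is not part of any message here and is not Impala's or Hive's code: when the mask is applied only to the query output, a filter is still evaluated against the raw value, while masking at the innermost column reference lets the filter see only the masked value. The table, the sample rows and the `mask_last4` function are constructed for illustration and run on SQLite.

```python
import sqlite3

# Constructed sample data; table, column and function names are assumptions.
ROWS = [("alice", "555-010-6789"), ("bob", "555-019-4321")]

def mask_last4(value):
    """Mask in the shape the thread describes: 'x' plus the last 4 chars."""
    return "x" + value[-4:]

# Mask applied only to the SELECT list: the WHERE clause still reads the raw
# column, so the result set depends on the unmasked value.
OUTPUT_ONLY = "SELECT name, mask_last4(phone) FROM customers WHERE {pred}"

# Mask applied at the innermost column reference: the table is replaced by a
# masked subquery, so every outer expression sees only the masked value.
INNERMOST = (
    "SELECT name, phone FROM "
    "(SELECT name, mask_last4(phone) AS phone FROM customers) AS customers "
    "WHERE {pred}"
)

def connect():
    """In-memory database holding the constructed rows and the mask UDF."""
    db = sqlite3.connect(":memory:")
    db.create_function("mask_last4", 1, mask_last4)
    db.execute("CREATE TABLE customers (name TEXT, phone TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", ROWS)
    return db

def run(db, template, pred):
    """Run one of the two rewritten queries with the caller's predicate."""
    return db.execute(template.format(pred=pred)).fetchall()

if __name__ == "__main__":
    db = connect()
    raw_filter = "phone < '555-015'"   # true for alice's raw value only
    for label, template in (("output-only", OUTPUT_ONLY), ("innermost", INNERMOST)):
        print(label, raw_filter, "->", run(db, template, raw_filter))
    # Under innermost masking a filter can only match the masked form.
    print("innermost phone = 'x6789' ->", run(db, INNERMOST, "phone = 'x6789'"))
```

Under the output-only rewrite the row count changes with the raw value even though only `x6789` is displayed; under the innermost rewrite the same filter returns nothing.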